@vorionsys/security 1.0.0

package/dist/security/service-auth/service-token.js

@@ -0,0 +1,472 @@
+/**
+ * Service Token Management
+ *
+ * JWT-based service tokens with short TTL for service-to-service authentication.
+ * Tokens are issued after HMAC signature verification and provide time-limited access.
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+import { createLogger } from '../../common/logger.js';
+import { VorionError, ValidationError } from '../../common/errors.js';
+const logger = createLogger({ component: 'service-token' });
+export const serviceTokenPayloadSchema = z.object({
+    sub: z.string(), // clientId
+    tid: z.string().uuid(), // tenantId
+    svc: z.string(), // service name
+    permissions: z.array(z.string()),
+    type: z.literal('service'),
+    ip: z.string().optional(),
+    iat: z.number().optional(),
+    exp: z.number().optional(),
+    jti: z.string().optional(),
+    iss: z.string().optional(),
+    aud: z.union([z.string(), z.array(z.string())]).optional(),
+});
+export const serviceSignatureSchema = z.object({
+    timestamp: z.number().int().positive(),
+    method: z.string().min(1),
+    path: z.string().min(1),
+    bodyHash: z.string(),
+    signature: z.string().min(1),
+});
+export const tokenVerificationResultSchema = z.object({
+    valid: z.boolean(),
+    payload: serviceTokenPayloadSchema.optional(),
+    error: z.string().optional(),
+    errorCode: z.enum(['EXPIRED', 'INVALID_SIGNATURE', 'INVALID_FORMAT', 'REVOKED', 'INVALID_ISSUER']).optional(),
+});
+// =============================================================================
+// ERRORS
+// =============================================================================
+/**
+ * Service token error
+ */
+export class ServiceTokenError extends VorionError {
+    code = 'SERVICE_TOKEN_ERROR';
+    statusCode = 401;
+    constructor(message, details) {
+        super(message, details);
+        this.name = 'ServiceTokenError';
+    }
+}
+/**
+ * Token expired error
+ */
+export class TokenExpiredError extends ServiceTokenError {
+    code = 'TOKEN_EXPIRED';
+    constructor(expiredAt) {
+        super(`Token expired at ${expiredAt.toISOString()}`, { expiredAt: expiredAt.toISOString() });
+        this.name = 'TokenExpiredError';
+    }
+}
+/**
+ * Invalid signature error
+ */
+export class InvalidSignatureError extends ServiceTokenError {
+    code = 'INVALID_SIGNATURE';
+    constructor(reason) {
+        super(`Invalid signature: ${reason}`, { reason });
+        this.name = 'InvalidSignatureError';
+    }
+}
+/**
+ * Signature timestamp error (clock skew)
+ */
+export class SignatureTimestampError extends ServiceTokenError {
+    code = 'SIGNATURE_TIMESTAMP_ERROR';
+    constructor(timestamp, currentTime, maxSkewSeconds) {
+        super(`Signature timestamp outside allowed window (${maxSkewSeconds}s)`, { timestamp, currentTime, maxSkewSeconds });
+        this.name = 'SignatureTimestampError';
+    }
+}
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+/** Default token TTL in seconds (5 minutes) */
+export const DEFAULT_TOKEN_TTL_SECONDS = 300;
+/** Maximum allowed clock skew for signature validation (5 minutes) */
+export const MAX_CLOCK_SKEW_SECONDS = 300;
+/** Minimum token TTL in seconds */
+export const MIN_TOKEN_TTL_SECONDS = 60;
+/** Maximum token TTL in seconds (1 hour) */
+export const MAX_TOKEN_TTL_SECONDS = 3600;
+/** Service token issuer */
+export const SERVICE_TOKEN_ISSUER = 'vorion:service-auth';
+/** Header names for service authentication */
+export const SERVICE_AUTH_HEADERS = {
+    SERVICE_ID: 'x-service-id',
+    SERVICE_SIGNATURE: 'x-service-signature',
+    SERVICE_TIMESTAMP: 'x-service-timestamp',
+};
+// =============================================================================
+// JWT UTILITIES (Manual implementation to avoid ESM issues with jose)
+// =============================================================================
+/**
+ * Base64url encode a string or buffer
+ */
+function base64urlEncode(input) {
+    const buffer = typeof input === 'string' ? Buffer.from(input) : input;
+    return buffer.toString('base64url');
+}
+/**
+ * Base64url decode a string
+ */
+function base64urlDecode(input) {
+    return Buffer.from(input, 'base64url');
+}
+/**
+ * Create HMAC-SHA256 signature for JWT
+ */
+function createJWTSignature(headerB64, payloadB64, secret) {
+    const hmac = createHmac('sha256', secret);
+    hmac.update(`${headerB64}.${payloadB64}`);
+    return hmac.digest('base64url');
+}
+/**
+ * Create a JWT token manually
+ */
+function createJWT(payload, secret) {
+    const header = {
+        alg: 'HS256',
+        typ: 'JWT',
+    };
+    const headerB64 = base64urlEncode(JSON.stringify(header));
+    const payloadB64 = base64urlEncode(JSON.stringify(payload));
+    const signature = createJWTSignature(headerB64, payloadB64, secret);
+    return `${headerB64}.${payloadB64}.${signature}`;
+}
+/**
+ * Verify and decode a JWT token
+ */
+function verifyJWT(token, secret, options) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            return { valid: false, error: 'Invalid token format' };
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Verify signature
+        const expectedSignature = createJWTSignature(headerB64, payloadB64, secret);
+        const providedSignatureBuffer = Buffer.from(signatureB64, 'base64url');
+        const expectedSignatureBuffer = Buffer.from(expectedSignature, 'base64url');
+        if (providedSignatureBuffer.length !== expectedSignatureBuffer.length) {
+            return { valid: false, error: 'Invalid signature' };
+        }
+        if (!timingSafeEqual(providedSignatureBuffer, expectedSignatureBuffer)) {
+            return { valid: false, error: 'Invalid signature' };
+        }
+        // Decode header
+        const header = JSON.parse(base64urlDecode(headerB64).toString('utf8'));
+        if (header.alg !== 'HS256') {
+            return { valid: false, error: 'Unsupported algorithm' };
+        }
+        // Decode payload
+        const payload = JSON.parse(base64urlDecode(payloadB64).toString('utf8'));
+        // Check expiration
+        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+            return { valid: false, error: 'Token has expired' };
+        }
+        // Check issuer
+        if (options?.issuer && payload.iss !== options.issuer) {
+            return { valid: false, error: 'Invalid issuer' };
+        }
+        // Check audience
+        if (options?.audience) {
+            const tokenAud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+            if (!tokenAud.includes(options.audience)) {
+                return { valid: false, error: 'Invalid audience' };
+            }
+        }
+        return { valid: true, payload };
+    }
+    catch (error) {
+        logger.warn({ error }, 'JWT verification failed');
+        return { valid: false, error: 'Invalid token format' };
+    }
+}
+export const serviceTokenServiceConfigSchema = z.object({
+    signingSecret: z.string().min(32),
+    tokenTTL: z.number().int().min(MIN_TOKEN_TTL_SECONDS).max(MAX_TOKEN_TTL_SECONDS).optional(),
+    issuer: z.string().optional(),
+    audience: z.string().optional(),
+    maxClockSkew: z.number().int().positive().optional(),
+});
+/**
+ * Service token service for creating and verifying JWT tokens
+ */
+export class ServiceTokenService {
+    signingKey;
+    tokenTTL;
+    issuer;
+    audience;
+    maxClockSkew;
+    constructor(config) {
+        const validated = serviceTokenServiceConfigSchema.parse(config);
+        this.signingKey = Buffer.from(validated.signingSecret, 'utf8');
+        this.tokenTTL = validated.tokenTTL ?? DEFAULT_TOKEN_TTL_SECONDS;
+        this.issuer = validated.issuer ?? SERVICE_TOKEN_ISSUER;
+        this.audience = validated.audience;
+        this.maxClockSkew = validated.maxClockSkew ?? MAX_CLOCK_SKEW_SECONDS;
+    }
+    /**
+     * Create a service token
+     */
+    async createToken(params) {
+        const { clientId, tenantId, serviceName, permissions, ipAddress, customTTL } = params;
+        const ttl = customTTL ?? this.tokenTTL;
+        if (ttl < MIN_TOKEN_TTL_SECONDS || ttl > MAX_TOKEN_TTL_SECONDS) {
+            throw new ValidationError(`Token TTL must be between ${MIN_TOKEN_TTL_SECONDS} and ${MAX_TOKEN_TTL_SECONDS} seconds`);
+        }
+        const now = Math.floor(Date.now() / 1000);
+        const jti = randomBytes(16).toString('hex');
+        const payload = {
+            sub: clientId,
+            tid: tenantId,
+            svc: serviceName,
+            permissions,
+            type: 'service',
+            ip: ipAddress,
+            iat: now,
+            exp: now + ttl,
+            jti,
+            iss: this.issuer,
+        };
+        if (this.audience) {
+            payload.aud = this.audience;
+        }
+        const token = createJWT(payload, this.signingKey);
+        logger.debug({ clientId, tenantId, serviceName, jti, ttl }, 'Service token created');
+        return token;
+    }
+    /**
+     * Verify and decode a service token
+     */
+    async verifyToken(token) {
+        const result = verifyJWT(token, this.signingKey, {
+            issuer: this.issuer,
+            audience: this.audience,
+        });
+        if (!result.valid) {
+            let errorCode = 'INVALID_FORMAT';
+            if (result.error?.includes('expired')) {
+                errorCode = 'EXPIRED';
+            }
+            else if (result.error?.includes('signature')) {
+                errorCode = 'INVALID_SIGNATURE';
+            }
+            else if (result.error?.includes('issuer')) {
+                errorCode = 'INVALID_ISSUER';
+            }
+            return {
+                valid: false,
+                error: result.error,
+                errorCode,
+            };
+        }
+        try {
+            // Validate payload structure
+            const validatedPayload = serviceTokenPayloadSchema.parse(result.payload);
+            // Check type
+            if (validatedPayload.type !== 'service') {
+                return {
+                    valid: false,
+                    error: 'Invalid token type',
+                    errorCode: 'INVALID_FORMAT',
+                };
+            }
+            return {
+                valid: true,
+                payload: validatedPayload,
+            };
+        }
+        catch (error) {
+            logger.warn({ error }, 'Token payload validation failed');
+            return {
+                valid: false,
+                error: 'Invalid token payload',
+                errorCode: 'INVALID_FORMAT',
+            };
+        }
+    }
+    /**
+     * Create an HMAC signature for a request
+     */
+    createSignature(params) {
+        const { clientSecret, timestamp, method, path, body } = params;
+        // Create message to sign: timestamp + method + path + body
+        const bodyStr = body ? (Buffer.isBuffer(body) ? body.toString('utf8') : body) : '';
+        const message = `${timestamp}.${method.toUpperCase()}.${path}.${bodyStr}`;
+        // Create HMAC-SHA256 signature
+        const hmac = createHmac('sha256', clientSecret);
+        hmac.update(message);
+        const signature = hmac.digest('hex');
+        return signature;
+    }
+    /**
+     * Verify a request signature
+     */
+    verifySignature(params) {
+        const { clientSecret, providedSignature, timestamp, method, path, body } = params;
+        // Check timestamp is within allowed window
+        const currentTime = Math.floor(Date.now() / 1000);
+        const timeDiff = Math.abs(currentTime - timestamp);
+        if (timeDiff > this.maxClockSkew) {
+            return {
+                valid: false,
+                error: `Timestamp outside allowed window (${this.maxClockSkew}s)`,
+                errorCode: 'CLOCK_SKEW',
+            };
+        }
+        // Calculate expected signature
+        const expectedSignature = this.createSignature({
+            clientSecret,
+            timestamp,
+            method,
+            path,
+            body,
+        });
+        // Timing-safe comparison
+        if (providedSignature.length !== expectedSignature.length) {
+            return {
+                valid: false,
+                error: 'Invalid signature',
+                errorCode: 'INVALID_SIGNATURE',
+            };
+        }
+        const providedBuffer = Buffer.from(providedSignature, 'hex');
+        const expectedBuffer = Buffer.from(expectedSignature, 'hex');
+        if (providedBuffer.length !== expectedBuffer.length) {
+            return {
+                valid: false,
+                error: 'Invalid signature format',
+                errorCode: 'INVALID_SIGNATURE',
+            };
+        }
+        const isValid = timingSafeEqual(providedBuffer, expectedBuffer);
+        if (!isValid) {
+            return {
+                valid: false,
+                error: 'Signature verification failed',
+                errorCode: 'INVALID_SIGNATURE',
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Parse service auth headers from a request
+     */
+    parseAuthHeaders(headers) {
+        const getHeader = (name) => {
+            const value = headers[name] ?? headers[name.toLowerCase()];
+            if (Array.isArray(value)) {
+                return value[0] ?? null;
+            }
+            return value ?? null;
+        };
+        const clientId = getHeader(SERVICE_AUTH_HEADERS.SERVICE_ID);
+        const signature = getHeader(SERVICE_AUTH_HEADERS.SERVICE_SIGNATURE);
+        const timestampStr = getHeader(SERVICE_AUTH_HEADERS.SERVICE_TIMESTAMP);
+        let timestamp = null;
+        if (timestampStr) {
+            const parsed = parseInt(timestampStr, 10);
+            if (!isNaN(parsed)) {
+                timestamp = parsed;
+            }
+        }
+        return { clientId, signature, timestamp };
+    }
+    /**
+     * Get token TTL
+     */
+    getTokenTTL() {
+        return this.tokenTTL;
+    }
+    /**
+     * Get max clock skew
+     */
+    getMaxClockSkew() {
+        return this.maxClockSkew;
+    }
+}
+// =============================================================================
+// SINGLETON MANAGEMENT
+// =============================================================================
+let defaultTokenService = null;
+/**
+ * Initialize the default service token service
+ */
+export function initializeServiceTokenService(config) {
+    defaultTokenService = new ServiceTokenService(config);
+    return defaultTokenService;
+}
+/**
+ * Get the default service token service
+ */
+export function getServiceTokenService() {
+    if (!defaultTokenService) {
+        throw new Error('ServiceTokenService not initialized. Call initializeServiceTokenService first.');
+    }
+    return defaultTokenService;
+}
+/**
+ * Create a new service token service instance
+ */
+export function createServiceTokenService(config) {
+    return new ServiceTokenService(config);
+}
+/**
+ * Reset the singleton (for testing)
+ */
+export function resetServiceTokenService() {
+    defaultTokenService = null;
+}
+// =============================================================================
+// UTILITY FUNCTIONS
+// =============================================================================
+/**
+ * Create signature headers for a request
+ */
+export function createServiceAuthHeaders(params) {
+    const { clientId, clientSecret, method, path, body } = params;
+    const tokenService = params.tokenService ?? getServiceTokenService();
+    const timestamp = Math.floor(Date.now() / 1000);
+    const signature = tokenService.createSignature({
+        clientSecret,
+        timestamp,
+        method,
+        path,
+        body,
+    });
+    return {
+        [SERVICE_AUTH_HEADERS.SERVICE_ID]: clientId,
+        [SERVICE_AUTH_HEADERS.SERVICE_SIGNATURE]: signature,
+        [SERVICE_AUTH_HEADERS.SERVICE_TIMESTAMP]: timestamp.toString(),
+    };
+}
+/**
+ * Extract service ID from authorization header if present
+ */
+export function extractServiceIdFromBearer(authHeader) {
+    if (!authHeader?.startsWith('Bearer ')) {
+        return null;
+    }
+    // Try to decode the token to get the service ID
+    // This is a lightweight check without verification
+    try {
+        const token = authHeader.slice(7);
+        const [, payloadB64] = token.split('.');
+        if (!payloadB64)
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+        if (payload.type === 'service' && payload.sub) {
+            return payload.sub;
+        }
+    }
+    catch {
+        // Invalid token format
+    }
+    return null;
+}
+//# sourceMappingURL=service-token.js.map

package/dist/security/service-auth/service-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-token.js","sourceRoot":"","sources":["../../../src/security/service-auth/service-token.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEtE,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;AA0C5D,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,WAAW;IAC5B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,WAAW;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,eAAe;IAChC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC3D,CAAC,CAAC;AAkBH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACtC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC,CAAC;AAgBH,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;IAClB,OAAO,EAAE,yBAAyB,CAAC,QAAQ,EAAE;IAC7C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC9G,CAAC,CAAC;AAgBH,gFAAgF;AAChF,SAAS;AACT,gFAAgF;AAEhF;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,WAAW;IACvC,IAAI,GAAG,qBAAqB,CAAC;IAC7B,UAAU,GAAG,GAAG,CAAC;IAE1B,YAAY,OAAe,EAAE,OAAiC;QAC5D,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,iBAAiB;IAC7C,IAAI,GAAG,eAAe,CAAC;IAEhC,YAAY,SAAe;QACzB,KAAK,CAAC,oBAAoB,SAAS,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAC7F,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,qBAAsB,SAAQ,iBAAiB;IACjD,IAAI,GAAG,mBAAmB,CAAC;IAEpC,YAAY,MAAc;QACxB,KAAK,CAAC,sBAAsB,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,uBAAwB,SAAQ,iBAAiB;IACnD,IAAI,GAAG,2BAA2B,CAAC;IAE5C,YAAY,SAAiB,EAAE,WAAmB,EAAE,cAAsB;QACxE,KAAK,CACH,+CAA+C,cAAc,IAAI,EACjE,EAAE,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,CAC3C,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF,+CAA+C;AAC/C,MAAM,CAAC,MAAM,yBAAyB,GAAG,GAAG,CAAC;AAE7C,sEAAsE;AACtE,MAAM,CAAC,MAAM,sBAAsB,GAAG,GAAG,CAAC;AAE1C,mCAAmC;AACnC,MAAM,CAAC,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAExC,4CAA4C;AAC5C,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAE1C,2BAA2B;AAC3B,MAAM,CAAC,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;AAE1D,8CAA8C;AAC9C,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,UAAU,EAAE,cAAc;IAC1B,iBAAiB,EAAE,qBAAqB;IACxC,iBAAiB,EAAE,qBAAqB;CAChC,CAAC;AAEX,gFAAgF;AAChF,sEAAsE;AACtE,gFAAgF;AAEhF;;GAEG;AACH,SAAS,eAAe,CAAC,KAAsB;IAC7C,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACtE,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,SAAiB,EAAE,UAAkB,EAAE,MAAc;IAC/E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC;IAC1C,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,OAAgC,EAAE,MAAc;IACjE,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,kBAAkB,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IAEpE,OAAO,GAAG,SAAS,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAChB,KAAa,EACb,MAAc,EACd,OAAgD;IAEhD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;QACzD,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,mBAAmB;QACnB,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAC5E,MAAM,uBAAuB,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QACvE,MAAM,uBAAuB,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAE5E,IAAI,uBAAuB,CAAC,MAAM,KAAK,uBAAuB,CAAC,MAAM,EAAE,CAAC;YACtE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,eAAe,CAAC,uBAAuB,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACvE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,gBAAgB;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QAC1D,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAEzE,mBAAmB;QACnB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,eAAe;QACf,IAAI,OAAO,EAAE,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC;YACtD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;QACnD,CAAC;QAED,iBAAiB;QACjB,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC1E,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;YACrD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,yBAAyB,CAAC,CAAC;QAClD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;IACzD,CAAC;AACH,CAAC;AAsBD,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,QAAQ,EAAE;IAC3F,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,OAAO,mBAAmB;IACb,UAAU,CAAS;IACnB,QAAQ,CAAS;IACjB,MAAM,CAAS;IACf,QAAQ,CAAqB;IAC7B,YAAY,CAAS;IAEtC,YAAY,MAAiC;QAC3C,MAAM,SAAS,GAAG,+BAA+B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEhE,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAC/D,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC,QAAQ,IAAI,yBAAyB,CAAC;QAChE,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,oBAAoB,CAAC;QACvD,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC;QACnC,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC,YAAY,IAAI,sBAAsB,CAAC;IACvE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,MAOjB;QACC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;QAEtF,MAAM,GAAG,GAAG,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC;QACvC,IAAI,GAAG,GAAG,qBAAqB,IAAI,GAAG,GAAG,qBAAqB,EAAE,CAAC;YAC/D,MAAM,IAAI,eAAe,CAAC,6BAA6B,qBAAqB,QAAQ,qBAAqB,UAAU,CAAC,CAAC;QACvH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE5C,MAAM,OAAO,GAAwB;YACnC,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,WAAW;YAChB,WAAW;YACX,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,SAAS;YACb,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,GAAG;YACd,GAAG;YACH,GAAG,EAAE,IAAI,CAAC,MAAM;SACjB,CAAC;QAEF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,CAAC;QAED,MAAM,KAAK,GAAG,SAAS,CAAC,OAA6C,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAExF,MAAM,CAAC,KAAK,CACV,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,EAAE,GAAG,EAAE,EAC7C,uBAAuB,CACxB,CAAC;QAEF,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE;YAC/C,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,SAAS,GAAyC,gBAAgB,CAAC;YACvE,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACtC,SAAS,GAAG,SAAS,CAAC;YACxB,CAAC;iBAAM,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC/C,SAAS,GAAG,mBAAmB,CAAC;YAClC,CAAC;iBAAM,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5C,SAAS,GAAG,gBAAgB,CAAC;YAC/B,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,SAAS;aACV,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,6BAA6B;YAC7B,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEzE,aAAa;YACb,IAAI,gBAAgB,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACxC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,oBAAoB;oBAC3B,SAAS,EAAE,gBAAgB;iBAC5B,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,OAAO,EAAE,gBAAuC;aACjD,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,iCAAiC,CAAC,CAAC;YAC1D,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,uBAAuB;gBAC9B,SAAS,EAAE,gBAAgB;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,MAMf;QACC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;QAE/D,2DAA2D;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnF,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI,OAAO,EAAE,CAAC;QAE1E,+BAA+B;QAC/B,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAChD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,MAOf;QACC,MAAM,EAAE,YAAY,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;QAElF,2CAA2C;QAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,GAAG,SAAS,CAAC,CAAC;QAEnD,IAAI,QAAQ,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACjC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,qCAAqC,IAAI,CAAC,YAAY,IAAI;gBACjE,SAAS,EAAE,YAAY;aACxB,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC;YAC7C,YAAY;YACZ,SAAS;YACT,MAAM;YACN,IAAI;YACJ,IAAI;SACL,CAAC,CAAC;QAEH,yBAAyB;QACzB,IAAI,iBAAiB,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM,EAAE,CAAC;YAC1D,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,mBAAmB;gBAC1B,SAAS,EAAE,mBAAmB;aAC/B,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;QAE7D,IAAI,cAAc,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;YACpD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,0BAA0B;gBACjC,SAAS,EAAE,mBAAmB;aAC/B,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEhE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,+BAA+B;gBACtC,SAAS,EAAE,mBAAmB;aAC/B,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,OAAsD;QAKrE,MAAM,SAAS,GAAG,CAAC,IAAY,EAAiB,EAAE;YAChD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC3D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YAC1B,CAAC;YACD,OAAO,KAAK,IAAI,IAAI,CAAC;QACvB,CAAC,CAAC;QAEF,MAAM,QAAQ,GAAG,SAAS,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC;QAC5D,MAAM,SAAS,GAAG,SAAS,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,CAAC;QACpE,MAAM,YAAY,GAAG,SAAS,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,CAAC;QAEvE,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnB,SAAS,GAAG,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;CACF;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,IAAI,mBAAmB,GAA+B,IAAI,CAAC;AAE3D;;GAEG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAAiC;IAC7E,mBAAmB,GAAG,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACtD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB;IACpC,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,gFAAgF,CAAC,CAAC;IACpG,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAiC;IACzE,OAAO,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,mBAAmB,GAAG,IAAI,CAAC;AAC7B,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAOxC;IACC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;IAC9D,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,sBAAsB,EAAE,CAAC;IAErE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,YAAY,CAAC,eAAe,CAAC;QAC7C,YAAY;QACZ,SAAS;QACT,MAAM;QACN,IAAI;QACJ,IAAI;KACL,CAAC,CAAC;IAEH,OAAO;QACL,CAAC,oBAAoB,CAAC,UAAU,CAAC,EAAE,QAAQ;QAC3C,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,EAAE,SAAS;QACnD,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,EAAE,SAAS,CAAC,QAAQ,EAAE;KAC/D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CAAC,UAA8B;IACvE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gDAAgD;IAChD,mDAAmD;IACnD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAE7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC5E,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAC9C,OAAO,OAAO,CAAC,GAAG,CAAC;QACrB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;IACzB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/security/session-manager.d.ts

@@ -0,0 +1,177 @@
+/**
+ * Session Manager - High-level session management
+ *
+ * Provides secure session lifecycle management including:
+ * - Session creation with device tracking
+ * - Session validation with security checks
+ * - Revocation on security events
+ * - Re-authentication for sensitive operations
+ *
+ * @packageDocumentation
+ */
+import { type Session, type CreateSessionInput, type SessionStoreConfig } from './session-store.js';
+import { type RequestHeaders, type FingerprintValidationResult } from './fingerprint-service.js';
+/**
+ * Session manager configuration
+ */
+export interface SessionManagerConfig extends Partial<SessionStoreConfig> {
+    /** Require re-authentication for sensitive operations */
+    requireReauthForSensitive: boolean;
+    /** Time window for sensitive operations after auth (seconds) */
+    sensitiveOperationWindow: number;
+    /** Inactivity timeout before requiring re-auth (seconds) */
+    inactivityTimeout: number;
+    /** Whether to revoke sessions on password change */
+    revokeOnPasswordChange: boolean;
+    /** Whether to revoke sessions on email change */
+    revokeOnEmailChange: boolean;
+    /** Whether to detect concurrent sessions from different locations */
+    detectConcurrentSessions: boolean;
+    /** Whether to validate fingerprints on session validation */
+    fingerprintEnabled: boolean;
+    /** Fingerprint strictness: 'warn' logs mismatches, 'block' rejects */
+    fingerprintStrictness: 'warn' | 'block';
+}
+/**
+ * Options for session regeneration
+ */
+export interface RegenerateSessionOptions {
+    /** New IP address for the session (defaults to old session's IP) */
+    ipAddress?: string;
+    /** New user agent for the session (defaults to old session's userAgent) */
+    userAgent?: string;
+    /** New device fingerprint */
+    deviceFingerprint?: string;
+    /** Additional metadata to merge */
+    metadata?: Record<string, unknown>;
+    /** Reason for regeneration (for audit/logging) */
+    reason?: string;
+}
+/**
+ * Session validation result
+ */
+export interface SessionValidationResult {
+    valid: boolean;
+    session?: Session;
+    reason?: string;
+    requiresReauth?: boolean;
+    securityWarnings?: string[];
+    /** Fingerprint validation result if fingerprinting is enabled */
+    fingerprintValidation?: FingerprintValidationResult;
+}
+/**
+ * Sensitive operation types that may require re-authentication
+ */
+export type SensitiveOperation = 'password_change' | 'email_change' | 'mfa_change' | 'api_key_create' | 'delete_account' | 'export_data' | 'admin_action' | 'high_value_transaction';
+/**
+ * Session manager for secure session lifecycle
+ */
+export declare class SessionManager {
+    private store;
+    private config;
+    private fingerprintService;
+    constructor(config?: Partial<SessionManagerConfig>);
+    /**
+     * Create a new session for a user
+     */
+    createSession(input: CreateSessionInput): Promise<Session>;
+    /**
+     * Validate a session and check security conditions
+     */
+    validateSession(sessionId: string, options?: {
+        operation?: SensitiveOperation;
+        ipAddress?: string;
+        checkInactivity?: boolean;
+        /** Request headers for fingerprint validation */
+        requestHeaders?: RequestHeaders;
+    }): Promise<SessionValidationResult>;
+    /**
+     * Revoke a specific session
+     */
+    revokeSession(sessionId: string, reason: string, revokedBy?: string): Promise<boolean>;
+    /**
+     * Revoke all sessions for a user (e.g., on password change)
+     */
+    revokeAllUserSessions(userId: string, reason: string, revokedBy?: string, exceptCurrentSession?: string): Promise<number>;
+    /**
+     * Revoke other sessions (keep current)
+     */
+    revokeOtherSessions(userId: string, currentSessionId: string, reason?: string): Promise<number>;
+    /**
+     * Regenerate a session with a new ID while preserving session data
+     *
+     * This is a security best practice after privilege changes (e.g., login,
+     * role change, password reset) to prevent session fixation attacks.
+     *
+     * Steps performed:
+     * 1. Gets the old session data
+     * 2. Creates a new session with the same data (optionally with updates)
+     * 3. Revokes the old session
+     * 4. Returns the new session
+     *
+     * @param oldSessionId - The current session ID to regenerate
+     * @param options - Options for the new session
+     * @returns The new session, or null if old session doesn't exist
+     */
+    regenerateSession(oldSessionId: string, options?: RegenerateSessionOptions): Promise<Session | null>;
+    /**
+     * Compute and store fingerprint for a session
+     *
+     * Use this when creating sessions to enable fingerprint validation.
+     *
+     * @param sessionId - Session to update
+     * @param headers - Request headers for fingerprint computation
+     * @returns The computed fingerprint, or null if session not found
+     */
+    setSessionFingerprint(sessionId: string, headers: RequestHeaders): Promise<string | null>;
+    /**
+     * Handle password change - revoke all sessions if configured
+     */
+    onPasswordChange(userId: string, currentSessionId?: string): Promise<{
+        revokedCount: number;
+    }>;
+    /**
+     * Handle email change - revoke all sessions if configured
+     */
+    onEmailChange(userId: string, currentSessionId?: string): Promise<{
+        revokedCount: number;
+    }>;
+    /**
+     * Handle security incident - revoke all sessions immediately
+     */
+    onSecurityIncident(userId: string, incidentType: string, details?: string): Promise<{
+        revokedCount: number;
+    }>;
+    /**
+     * Get all active sessions for a user
+     */
+    getUserSessions(userId: string): Promise<Session[]>;
+    /**
+     * Get session count for a user
+     */
+    getUserSessionCount(userId: string): Promise<number>;
+    /**
+     * Record that user re-authenticated (for sensitive operations)
+     */
+    recordReauthentication(sessionId: string): Promise<boolean>;
+    /**
+     * Check if an operation requires re-authentication
+     */
+    private operationRequiresReauth;
+    /**
+     * Check for suspicious concurrent sessions
+     */
+    private checkConcurrentSessions;
+}
+/**
+ * Get the session manager singleton
+ */
+export declare function getSessionManager(config?: Partial<SessionManagerConfig>): SessionManager;
+/**
+ * Create a new session manager instance (for testing)
+ */
+export declare function createSessionManager(config?: Partial<SessionManagerConfig>): SessionManager;
+export type { Session, CreateSessionInput, SessionStoreConfig };
+export type { RequestHeaders, FingerprintValidationResult };
+export { extractFingerprintHeaders } from './fingerprint-service.js';
+//# sourceMappingURL=session-manager.d.ts.map

package/dist/security/session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.d.ts","sourceRoot":"","sources":["../../src/security/session-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAGL,KAAK,OAAO,EACZ,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIL,KAAK,cAAc,EACnB,KAAK,2BAA2B,EACjC,MAAM,0BAA0B,CAAC;AAIlC;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO,CAAC,kBAAkB,CAAC;IACvE,yDAAyD;IACzD,yBAAyB,EAAE,OAAO,CAAC;IACnC,gEAAgE;IAChE,wBAAwB,EAAE,MAAM,CAAC;IACjC,4DAA4D;IAC5D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oDAAoD;IACpD,sBAAsB,EAAE,OAAO,CAAC;IAChC,iDAAiD;IACjD,mBAAmB,EAAE,OAAO,CAAC;IAC7B,qEAAqE;IACrE,wBAAwB,EAAE,OAAO,CAAC;IAClC,6DAA6D;IAC7D,kBAAkB,EAAE,OAAO,CAAC;IAC5B,sEAAsE;IACtE,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6BAA6B;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,kDAAkD;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAaD;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,2BAA2B,CAAC;CACrD;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B,iBAAiB,GACjB,cAAc,GACd,YAAY,GACZ,gBAAgB,GAChB,gBAAgB,GAChB,aAAa,GACb,cAAc,GACd,wBAAwB,CAAC;AAE7B;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,kBAAkB,CAAqB;gBAEnC,MAAM,GAAE,OAAO,CAAC,oBAAoB,CAAM;IAMtD;;OAEG;IACG,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IAShE;;OAEG;IACG,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,kBAAkB,CAAC;QAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,iDAAiD;QACjD,cAAc,CAAC,EAAE,cAAc,CAAC;KACjC,GACA,OAAO,CAAC,uBAAuB,CAAC;IA2FnC;;OAEG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC;IAInB;;OAEG;IACG,qBAAqB,CACzB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,MAAM,EAClB,oBAAoB,CAAC,EAAE,MAAM,GAC5B,OAAO,CAAC,MAAM,CAAC;IAIlB;;OAEG;IACG,mBAAmB,CACvB,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,EACxB,MAAM,GAAE,MAAkD,GACzD,OAAO,CAAC,MAAM,CAAC;IAIlB;;;;;;;;;;;;;;;OAeG;IACG,iBAAiB,CACrB,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAkD1B;;;;;;;;OAQG;IACG,qBAAqB,CACzB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiCzB;;OAEG;IACG,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GACxB,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IAoBpC;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GACxB,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IAoBpC;;OAEG;IACG,kBAAkB,CACtB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IAYpC;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAIzD;;OAEG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK1D;;OAEG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAuBjE;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA2B/B;;OAEG;YACW,uBAAuB;CAwBtC;AAOD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,cAAc,CAKxF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,cAAc,CAE3F;AAGD,YAAY,EAAE,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,CAAC;AAGhE,YAAY,EAAE,cAAc,EAAE,2BAA2B,EAAE,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC"}